Statement on backdoor in xz library

March 30, 2024 posted by Nia Alarie

Recently, a backdoor was discovered in the xz compression library. xz/liblzma are included as a part of NetBSD and used by the project for distribution of new releases and packages.

The version of xz shipped in all stable (and unstable) versions of NetBSD predates any code changes by the author of the backdoor. NetBSD is therefore safe and unaffected by the recent discoveries. It is believed that the attack only targets Linux/glibc, but checking this allowed us to rule out any other attempts at compromising the library by the author.

The version of xz shipped in pkgsrc, however, is affected. Using xz from pkgsrc is a non-default setting on NetBSD, and requires explicit opt-in. Most users of NetBSD will not install xz from pkgsrc because the version from the base system is preferred. However, users of pkgsrc on other platforms will need to take precautions.

Regardless of NetBSD being affected or not, the discovery of the backdoor is a wake-up call and further discussion will be happening internally over how to proceed.




Some more info is noted here:

Posted by John on March 30, 2024 at 02:03 PM UTC #

This is such a amazing blog post. Thanks for the sharing. <a href="">Doglikesbest</a>

Posted by Graham on April 22, 2024 at 09:55 AM UTC #

That was so amazing.

Posted by kyconnect gov on May 24, 2024 at 08:39 AM UTC #

A really great stuff you have shared with us. Keep up the great work. Amazing!

Posted by Affordable Care Act on May 30, 2024 at 10:07 AM UTC #

Post a Comment:
  • HTML Syntax: NOT allowed